Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)
Howard Chu wrote:
> Jose Gonzalez Gomez wrote:
> > o Of course, make use of TLS/SSL if you are planning to
> > provide simple bind authentication. You don't want to blow
> > out your whole Kerberos security having those passwords
> > floating around your network, do you?
> This is a strong argument against supporting Simple Binds at all, when
I agree with you, but few, if any, of the most popular software
packages you need to give access to OpenLDAP support either GSSAPI or SASL when
authenticating against an LDAP directory. I'm thinking of mail clients
(Mozilla, Outlook, ...) that use LDAP as a source for their address
books. Unfortunately you must give access to them, and in some cases you
need to authenticate the user accessing the directory so you may decide
what information she may see.
> > Anyway, OpenLDAP doesn't completely implement the whole
> > LDAPv3 standard, so maybe we won't miss DIGEST-MD5 that much until
> > there is an easier way of doing it...
> Since LDAPv3 is an extensible protocol, I'm not sure what this
I was just joking. I'm still trying to decide what would be the
best combination of software/config to offer as many services as
possible, so I was trying to include DIGEST-MD5 authentication in the
whole picture. SASL/GSSAPI and simple bind are really straightforward
to set up once you get all the pieces together, but it seems that
DIGEST-MD5 is not so simple to set up right now, so I will give up (for
now) on including it in my environment.
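One way to get the compromise the two messages above circle around (keep simple bind for the address-book clients, but never let a password cross the wire in the clear) is to let slapd itself refuse a simple bind on an unprotected connection. The fragment below is an added example for this page, not configuration from either poster or from the OpenLDAP project; the hostname, realm, suffix and certificate paths are placeholders, and the rest of a working slapd.conf (schema includes, database definition, ACLs) is assumed to be present.

```conf
# Added example (not from the thread): slapd.conf fragment that keeps simple
# bind available for clients such as mail address books, but only over TLS.
# ldap.example.com, EXAMPLE.COM and the certificate paths are placeholders.

# Server certificate and key so clients can use StartTLS on port 389
# (or ldaps:// if slapd is also started with -h "ldap:/// ldaps:///").
TLSCACertificateFile   /etc/openldap/certs/ca.crt
TLSCertificateFile     /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.example.com.key

# SASL/GSSAPI stays available for clients that can do Kerberos; a GSSAPI
# bind is not a simple bind, so the simple_bind requirement below does
# not touch it.
sasl-realm   EXAMPLE.COM
sasl-host    ldap.example.com

# Weak setting: with no 'security' directive slapd accepts a simple bind,
# password and all, on a plain cleartext connection.
#
#   (no security directive)
#
# Hardened setting: a simple bind is only accepted once the connection has
# a security strength factor of at least 128, i.e. after StartTLS or on
# ldaps://.  A simple bind attempted in the clear is rejected with
# "confidentiality required" instead of being authenticated.
security simple_bind=128

# Optional, stricter still: require SSF 128 for every operation, not just
# the bind, so the search results (the address-book data) are protected
# too.  slapd still lets a client issue StartTLS on a fresh connection to
# reach that SSF.
#security ssf=128 simple_bind=128
```

The same setting in cn=config form is `olcSecurity: simple_bind=128` on the relevant database or global entry. To confirm it took effect, bind from a workstation with `ldapsearch -x -H ldap://ldap.example.com -D "uid=someone,ou=people,dc=example,dc=com" -W` and expect it to fail with "Confidentiality required (13)"; the same command with `-ZZ` added (force StartTLS, fail if it is not available) should succeed. Mail clients that cannot do StartTLS should be pointed at the ldaps:// port rather than given a cleartext exception.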